MuddyWater (also tracked as Static Kitten, Mercury, Seedworm, TEMP.Zagros, and Earth Vetala by various vendors) is a state-aligned advanced persistent threat (APT) group conducting cyber-espionage operations primarily against government, telecommunications, defense, and oil-and-gas targets in the Middle East, with secondary targeting in Europe, North America, and Asia.
In January 2022, U.S. Cyber Command publicly attributed MuddyWater to Iran's Ministry of Intelligence and Security (MOIS), describing it as a subordinate element within MOIS and releasing malware samples on VirusTotal and GitHub. This attribution was echoed in a joint advisory by CISA, the FBI, U.S. Cyber Command Cyber National Mission Force, and the UK's National Cyber Security Centre (NCSC) issued on 24 February 2022.
The group's tradecraft typically involves:
- Spear-phishing with maldocs (Microsoft Office files with malicious macros) impersonating government ministries, universities, or telecom firms.
- Use of PowerShell-based backdoors such as POWERSTATS (also called POWERMUD), and later toolsets including SHARPSTATS, DELPHSTATS, Canopy/Starwhale, Mori, and POWGOOP.
- Living-off-the-land techniques, abusing legitimate remote-management tools like ScreenConnect, RemoteUtilities, and Atera for persistence.
- DNS tunneling and compromised intermediary servers for command-and-control obfuscation.
MuddyWater has been linked to intrusions against Turkish government bodies, Israeli organizations, Saudi and Emirati entities, Jordanian government agencies, and Kurdish political groups. It is generally assessed as distinct from but operationally adjacent to other Iran-nexus clusters such as APT33 (Elfin), APT34 (OilRig), and APT35 (Charming Kitten).
For policy researchers, MuddyWater is frequently cited as evidence of MOIS's expanding offensive cyber portfolio, alongside the IRGC's better-known operations, and features in discussions of U.S. and EU sanctions targeting Iranian intelligence cyber activity.
Example
In the February 2022 joint CISA-FBI-CNMF-NCSC advisory, MuddyWater was identified as conducting espionage intrusions against telecommunications and defense organizations across the Middle East, Europe, and North America on behalf of Iran's MOIS.
Frequently asked questions
U.S. Cyber Command and a joint CISA/FBI/NCSC advisory in early 2022 attributed MuddyWater to Iran's Ministry of Intelligence and Security (MOIS), describing it as a subordinate element of that ministry.
Keep learning